List: What are insider threats and how can your business stop them?
The insider threat, simply meaning a threat that comes from within an organisation, is a growing concern for cyber security practitioners.
Unlike external threats such as hackers or the latest malware, organisations cannot simply buy a shiny new antivirus or firewall product and rest assured that they have it covered.
This is because the insider threat can follow any number of patterns. There are both malicious and inadvertent insider threat actors in abundance.
On the inadvertent side, 65 percent of office workers use a single password among applications, according to the 2016 Market Pulse report commissioned by SailPoint. The survey also found that a third of employees shared passwords with co-workers, while 26 percent admitted to uploading sensitive information to cloud apps with the aim of sharing it outside the company.
On the malicious side, the survey revealed that nearly one in five employees would sell passwords to an outsider.
In the UK specifically, 16 percent of respondents would sell their passwords, while 56 percent would sell their passwords for £700 or below.
How can security professionals counter both types of threat?
1. Data protection
One solution to the insider threat problem is establishing controls over the organisation’s confidential data, so that it cannot leave the organisation without a good reason.
This effectively renders the question of whether the leak was intentional or unintentional moot.
Guy Bunker of Clearswift argues that the solution is adaptive threat redaction, which automatically seeks out and blocks sensitive information at whichever point it is exiting the corporate network.
Critical information will be picked up if the employee tries to send it out through email, upload it to the web or download it onto a USB stick.
Context is used to decide whether a piece of information is sensitive or private. A 16-digit number is not necessarily a credit card number; surrounding clues such as an expiry date or a name are what identify it as one.
“Forwarding your CV would be fine, but anything from credit card data, employee data, intellectual property or mergers and acquisitions will be flagged and blocked, helping to prevent large-scale breaches,” says Sian John, Security Strategist at Symantec, of data loss protection.
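The context rule described above, as an added example that is not part of the original article or of any vendor's product: a 16-digit run is only blocked when an expiry date or a card-related keyword appears nearby. The sample messages are constructed, and the Luhn checksum is an extra signal beyond what the article describes.

```python
import re

# Constructed sample messages (not from the article) to exercise the classifier.
SAMPLES = {
    "order": "Order #1234567890123456 shipped to warehouse B, ref 2024.",
    "card": "Card 4111111111111111 exp 12/26, name on card: J. Smith, CVV 123",
    "cv": "Please find my CV attached; phone 07700 900123.",
}

CANDIDATE = re.compile(r"\b(?:\d[ -]?){15}\d\b")          # 16 digits, optional separators
EXPIRY = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})\b")  # MM/YY or MM/YYYY
KEYWORDS = re.compile(r"\b(?:card|cvv|cvc|exp(?:iry|ires)?|name on card|cardholder)\b", re.I)
WINDOW = 40  # characters of context inspected on each side of the number


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; an extra signal beyond the article's context check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> list:
    """Return one finding per 16-digit run, with its context signals and verdict."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        ctx = text[max(0, m.start() - WINDOW): m.end() + WINDOW]
        signals = {
            "expiry": bool(EXPIRY.search(ctx)),
            "keyword": bool(KEYWORDS.search(ctx)),
            "luhn": luhn_ok(digits),
        }
        # Block only on a context signal, as the article describes. Luhn alone is
        # not enough: roughly one in ten random 16-digit numbers passes it.
        block = signals["expiry"] or signals["keyword"]
        findings.append({"number": digits, "signals": signals, "block": block})
    return findings


def should_block(text: str) -> bool:
    """True when any 16-digit run in the text looks like a card number in context."""
    return any(f["block"] for f in classify(text))
```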
Another effective way of building an approach around enterprise data is to encrypt data as it travels across the network, which protects not just against cyber-attacks but also against physical attacks on the network, such as criminals accessing fibre connections.
“By encrypting at the lowest level, the optical transport layer, companies ensure all data is safeguarded without the need for multiple application-specific solutions, which are time-consuming, add service latency and increase the overall risk of some data leaving the premises unprotected,” says Ciena’s CTO of EMEA, Joe Marsella.
2. Policies and training
While malicious insiders are determined to get what they want, non-malicious insiders endanger data by making mistakes. This can be due to working on personal devices or using consumer apps without having been provided with the correct tools to work safely, or simply due to not knowing that what they are doing is risky.
They will often upload data to consumer applications, something that is referred to as ‘shadow IT’.
It should go without saying that strong policies can do a lot to mitigate this side of the insider threat.
A starting point would be establishing a dialogue with employees to discover what tools they require and why. Rather than simply imposing a set of applications on a workforce, employers could find out what the workforce needs to do its job. Then they can provide applications but ensure that they are used safely.
Employers should also provide training in cyber security “hygiene”, including lessons in how to recognise phishing emails. This could include a website providing advice on recognising a suspicious email or showing employees examples of phishing emails.
3. Device protection
Enterprise mobility is another factor in creating cyber risk. What began with employees bringing their consumer devices into their working lives for more convenient and satisfying ways of working is now almost universally accepted: employees will use smartphones and tablets in the workplace.
What does not need to be accepted is the risk attached to this.
If employers would rather employees brought in their own devices, as part of a Bring Your Own Device (BYOD) policy, then a mobile device management (MDM) solution is necessary.
An organisation might also choose to issue devices to the workforce, giving the organisation greater control over the security policies in place and over the quality of security on the devices themselves. The IT department is then free to find the balance of user experience and security that the business requires.
For example, remote device wiping, which allows the IT department to remove all information on a device, means that an iPad left on a train by a careless employee will not turn into a damaging leak.
4. Network monitoring
Establishing controls and visibility over the corporate network is another effective way of stopping malicious threat actors.
As Matt Walmsley, EMEA Director of Vectra Networks, says, trusted insiders already have credentials for accessing network resources.
With both external and insider threats, Walmsley says, “detecting a threat requires security teams to proactively identify when a host behaves abnormally or in a way that could expose data or assets.
“There is a need to track the flow of data within a network to proactively identify the acquisition, staging, and stealing of data, regardless of whether it’s driven by an insider or an outsider.”
Using automated tools to analyse traffic and monitor for unusual behaviour can help IT departments zero in on which employees constitute a risk to the organisation. By establishing a baseline of normal behaviour, security teams can spot the aberrations that represent a cyber threat; visits to unusual websites or attempts to force access to an area an employee does not normally use would be strong indicators.
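The baselining approach described above, as an added example that is not part of the original article or of Vectra's product: a baseline window records which resources each user normally touches, and a later window is checked for resources outside that baseline and for repeated access denials against one resource. Both log windows are constructed sample data.

```python
from collections import defaultdict

# Constructed access-log lines (not from the article): timestamp, user, resource, result.
BASELINE_LOG = """\
2024-03-01T09:02 alice fileshare/sales OK
2024-03-01T09:10 alice crm OK
2024-03-02T08:55 alice fileshare/sales OK
2024-03-02T11:20 alice crm OK
2024-03-01T09:00 bob fileshare/eng OK
2024-03-02T09:05 bob git OK
"""

REVIEW_LOG = """\
2024-03-08T09:01 alice crm OK
2024-03-08T22:40 alice fileshare/hr DENIED
2024-03-08T22:41 alice fileshare/hr DENIED
2024-03-08T22:43 alice fileshare/finance OK
2024-03-08T09:30 bob git OK
"""


def parse(log: str):
    """Yield one event dict per log line."""
    for line in log.splitlines():
        ts, user, resource, result = line.split()
        yield {"ts": ts, "user": user, "resource": resource, "result": result}


def build_baseline(log: str) -> dict:
    """Record which resources each user touched during the baseline window."""
    seen = defaultdict(set)
    for ev in parse(log):
        seen[ev["user"]].add(ev["resource"])
    return dict(seen)


def find_aberrations(baseline: dict, log: str, denied_threshold: int = 2) -> list:
    """Flag resources a user never touched in the baseline, and repeated denials
    (attempts to force access) against any single resource."""
    findings = []
    denied = defaultdict(int)
    for ev in parse(log):
        if ev["resource"] not in baseline.get(ev["user"], set()):
            findings.append({**ev, "reason": "resource outside baseline"})
        if ev["result"] == "DENIED":
            key = (ev["user"], ev["resource"])
            denied[key] += 1
            if denied[key] == denied_threshold:
                findings.append({**ev, "reason": "repeated access denials"})
    return findings
```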